1. Field of the Invention
The present invention is directed to a method and a security module for the real-time registration of transactions with high security against counterfeiting.
2. Description of the Prior Art
A security module operates in an environment that is potentially not monitored by the operator, for example in automatic teller machines, automatic transport ticket machines, cash registers, electronic purses, computers for personal use (laptops, notebooks, organizers), cell phones and devices that combine several of these functionalities. It can be realized in the form of a postal security module that is particularly suitable for employment in a postage meter machine or mail processing machine or computer with mail-processing function (PC frankers).
Cryptographic security measures are known for use in the generation of a unique marking for each franking imprint in mail processing, wherein a high security against counterfeiting is likewise required.
A specific secret key method is disclosed by U.S. Pat. No. 5,953,426. The secret key is stored in a secure data bank at the verification location, typically at the postal authority, and is thus kept secret. A data authentication code (DAC) is formed from the data of a message to be communicated, this being converted into a marking symbol string that can then be employed for the authentication check of the message. The data encryption standard (DES) algorithm disclosed by U.S. Pat. No. 3,962,539 is used. The latter is the best-known symmetrical crypto-algorithm and is also described in FIPS PUB 113 (Federal Information Processing Standards Publication). The symbols of the marking symbol string are numerals or letters or special characters. The openly printed information and the DAC in the OCR-readable section of the print image can thus be visually read (by humans) and machine read. A message authentication code (MAC) can be generated with a symmetrical crypto-algorithm given data of the aforementioned DAC or given messages, with such code being employed for authentication checking, similar to a digital signature. The advantage of the symmetrical crypto-algorithm lies in the relatively short length of the MAC and in the high speed of its calculation. This advantage contrasts with the disadvantage that the sender and recipient use a single secret key.
The advantage of an asymmetrical crypto-algorithm is established by a public key. A known asymmetrical crypto-algorithm is the RSA algorithm, which is named after its inventors, R. Rivest, A. Shamir and L. Adleman, and is disclosed in U.S. Pat. No. 4,405,829.
As is known, the recipient deciphers an encrypted message with a private, secret key, the encrypted message having been encrypted by the sender with the appertaining, public key. The recipient keeps his private key secret but sends the appertaining public key to potential senders. RSA is an asymmetrical method that is suitable both for communicating keys as well as for producing digital signatures. Digital signatures can be generated with the private key, whereby the public keys serve for the verification of the signature. Each digital signature algorithm uses two keys, one of the two keys being public. Implementation of the RSA-based signature algorithm in a computer results in comparatively slow processing and supplies a long signature.
A digital signature standard (DSS) has been developed that supplies a shorter digital signature and to which the digital signature algorithm (DSA) according to U.S. Pat. No. 5,231,668 belongs. This development ensued proceeding from the identification and signature according to U.S. Pat. No. 4,995,085, and proceeding from the exchange of keys according to Diffie-Hellman (U.S. Pat. No. 4,200,770) and from the El Gamal method (El Gamal, Taher, “A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms”, IEEE Transactions and [sic] Information Theory, vol. 31, No. 4, July 1985). In the asymmetrical crypto-algorithm, the advantage of employing a public key contrasts with the disadvantage of a relatively long digital signature.
U.S. Pat. No. 6,041,704 discloses a modified public key method for producing a shorter signature. However, time-consuming data processing can be avoided only with extremely fast processors. A security area must be created in order to protect the secret private key against theft from a computer or from a postage meter machine, for the entire security of the signature is based on the private key not being known. In contrast, the public key could be employed in a number of postal institutions for checking the signature.
Such a security area in devices of this type is created by means of a security module. It is assumed in the publication of the Deutsche Post AG, “Voraussetzungen zur Einführung von Systemen zur PC-Frankierung”, version of 26 April 2000, that each device in the system has a security module. Only one asymmetrical key pair according to RSA is utilized for the asymmetrical encryption as well as for the digital signature. The key length amounts to 1024 bits according to RSA, and encryption is performed with the public key of the recipient security module. For the digital signature, a hash value according to SHA-1 for transmission-specific data and a random number are generated, and encryption is performed with the private key of the security module. However, only two security modules can communicate with one another. Moreover, the disadvantage of a relatively long digital signature that occurs given an asymmetrical crypto-algorithm continues to exist. Compared to a relatively short MAC given a symmetrical crypto-algorithm, this means a lengthening of the time for the calculation and communication, particularly since a signature is additionally generated for each RSA encryption of data.
The calculation of a hash function, in contrast, ensues two to four orders of magnitude faster than the calculation of the digital signature or the asymmetrical encryption. Given the one-way hash function used in cryptography, it is nearly impossible to find another byte sequence that yields the same hash value. The one-way hash functions should generally not be reversible. A one-way hash function MD5 developed by Ron Rivest in 1991 has a hash value that is 128 bits long but is reportedly not as secure as MD160 or SHA-1 (secure hash algorithm). The latter two employ a 160-bit hash value. SHA-1 was developed by NIST with the collaboration of the NSA and was published in 1994. The SHA-1 is a component part of the DSA.
U.S. Pat. No. 4,812,965 discloses a system for a remote inspection that reduces the requirement of a local inspection. Each act of tampering is registered by a postage meter machine and is communicated to a central station, either by information being printed out and sent or by being sent to the central station via modem.
Cryptographic security measures are utilized in postage meter machines in a data transmission to the data center as well as in the generation of a registration in conjunction with the booking of each and every franking imprint (U.S. Pat. Nos. 5,671,146; 5,771,348 and 5,805,711). A security module and a method for securing the postal registers against manipulation, based on a MAC formation over the postal register data, are employed in the JetMail® postage meter machines of the assignee (European Application 1,063,619). Although cryptographic methods have been used in the aforementioned solutions, they have not been used for a real-time transaction registration. Since there is no 100% security against tampering, a registration of the authorization activities of a security module in an authentic way that cannot be falsified is required.
A log datafile that covers an historic registration of all transaction data is called a translog file below. The calculating capacity and calculating speed of postage meter machines usually are limited to a solution for generating a translog file at a coarse level, whereby instead of protecting the data of each and every individual transaction, only those of a group of transaction data are protected with a digital signature. If each entry of the translog file were protected with a digital signature, the required franking speed could only be realized with difficulty under certain circumstances. A compromise between the implementability and coarseness can be achieved when the size of the transaction data is limited in a suitable way.
U.S. Pat. No. 6,061,671 discloses storage of a cryptographically protected copy of accounting data in a memory externally from the security module (“secure value metering unit”). The accounting data logged in this way are limited to certain selected register data.
The calculating speed of postage meter machines can suffice for a real-time processing given application of a symmetrical crypto-algorithm. A message authentication code (MAC) could thus be appended to each message with transaction data. This approach, however, can only be embarked upon for a communication to a single institution that implements the real-time check. When two institutions do not trust one another, both cannot be equipped with the same secret key. The potential risk of detecting the secret key increases given a plurality of institutions when they are equipped with the same secret key that is unique for each security module.
It has already been proposed to generate two encryption codes for a security imprint (U.S. Pat. No. 5,390,251). Given a number of different institutions that are independent of one another, consequently, a different unique secret key would have to be stored for each of the institutions and a separate registration would have to be generated. That makes this approach inefficient for a real-time processing given transmission to third institutions.
The aforementioned postage meter machine of the type JetMail® employs a security module that uses a symmetrical crypto-algorithm (European Applications 1,035,513; 1,035,516; 1,035,517 and 1,035,518). A key transmission between data center and security module ensues in an encrypted dataset that is also MAC-protected. However, a communication with a further institution is not provided. Given a number of different institutions that are independent of one another, an individual MAC would have to be produced for each of the institutions. That, however, would considerably enlarge the amount of data to be transmitted or registered in real time when an individual registration is generated for each institution (for example, for a verification center of the manufacturer and for a verification center of the postal service).
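The per-institution MAC overhead described in the preceding paragraphs, as an added example that is not part of the original text: it uses truncated HMAC-SHA-256 from the Python standard library as a stand-in for the DES-based MAC the text mentions. The institution names, keys, tag length and record layout are constructed for illustration.

```python
import hashlib
import hmac

TAG_LEN = 8  # bytes per MAC tag; assumed length for illustration


def mac(key, record):
    """Truncated HMAC-SHA-256 tag (stand-in for the DES-based MAC in the text)."""
    return hmac.new(key, record, hashlib.sha256).digest()[:TAG_LEN]


def register(record, keys):
    """Security-module side: one tag per institution, each under its own key."""
    return {name: mac(key, record) for name, key in keys.items()}


def verify(key, record, tag):
    """Institution side: constant-time check with that institution's key."""
    return hmac.compare_digest(mac(key, record), tag)


def overhead(tags):
    """Bytes added to one transaction record by all tags together."""
    return sum(len(t) for t in tags.values())


# Constructed sample data: two mutually distrusting verification centers.
KEYS = {"manufacturer": b"demo-key-manufacturer", "postal": b"demo-key-postal"}
RECORD = b"item=000123;value=0.55;total=1042.10"
ALTERED = RECORD.replace(b"value=0.55", b"value=5.50")


def demo():
    tags = register(RECORD, KEYS)
    return {
        # Each institution accepts only the tag made under its own key.
        "own": verify(KEYS["postal"], RECORD, tags["postal"]),
        "cross": verify(KEYS["postal"], RECORD, tags["manufacturer"]),
        # An altered record fails against the registered tag.
        "altered": verify(KEYS["postal"], ALTERED, tags["postal"]),
        # Cost grows linearly: TAG_LEN bytes per institution per transaction.
        "bytes": overhead(tags),
        # With one shared key, a tag valid for one verifier is valid for all,
        # so a MAC cannot show which key holder produced a record.
        "shared": verify(b"demo-shared", ALTERED, mac(b"demo-shared", ALTERED)),
    }


if __name__ == "__main__":
    print(demo())
```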